We consider the synthesis of distributed implementations for specifications in Prompt Linear Temporal Logic (PROMPT-LTL), which extends LTL by temporal operators equipped with parameters that bound their scope. For single process synthesis it is well-established that such parametric extensions do not increase worst-case complexities.

For synchronous systems, we show that, despite being more powerful, the distributed realizability problem for PROMPT-LTL is not harder than its LTL counterpart. For asynchronous systems we have to consider an assume-guarantee synthesis problem, as we have to express scheduling assumptions. As asynchronous distributed synthesis is already undecidable for LTL, we give a semi-decision procedure for the PROMPT-LTL assume-guarantee synthesis problem based on bounded synthesis.


1 Introduction 

Linear Temporal Logic (LTL) [16] is the most prominent specification language for reactive systems and the basis for industrial languages like ForSpec [2] and PSL [3]. Its advantages include a compact variable-free syntax and intuitive semantics as well as the exponential compilation property, which explains its attractive algorithmic properties: every LTL formula can be translated into an equivalent Büchi automaton of exponential size. This yields a polynomial space model checking algorithm and a doubly-exponential time algorithm for solving two-player games. Such games solve the monolithic LTL synthesis problem: given a specification, construct a correct-by-design implementation.

However, LTL lacks the ability to express timing constraints. For example, the request-response property $\mathbf{G}(req \rightarrow \mathbf{F}\, resp)$ requires that every request $req$ is eventually responded to by a $resp$. It is satisfied even if the waiting times between requests and responses diverge, i.e., it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to encode an a-priori fixed bound for an eventually into LTL, this requires prior knowledge of the system's granularity and incurs a blow-up when translated to automata, and is thus considered impractical.

To overcome this shortcoming of LTL, Alur et al. introduced parametric LTL (PLTL) [1], which extends LTL with parameterized operators of the form $\mathbf{F}_{\le x}$ and $\mathbf{G}_{\le y}$, where $x$ and $y$ are variables. The formula $\mathbf{G}(req \rightarrow \mathbf{F}_{\le x}\, resp)$ expresses that every request is answered within an arbitrary, but fixed, number of steps $\alpha(x)$. Here, $\alpha$ is a variable valuation, a mapping of variables to natural numbers. Typically, one is interested in whether a PLTL formula is satisfied with respect to some variable valuation, e.g., model checking a transition system $\mathcal{T}$ against a PLTL specification $\varphi$ amounts to determining whether there is an $\alpha$ such that every trace of $\mathcal{T}$ satisfies $\varphi$ with respect to $\alpha$. Alur et al. showed that the PLTL model checking problem is PSPACE-complete. Due to monotonicity of the parameterized operators, one can assume that all variables $y$ in parameterized always operators $\mathbf{G}_{\le y}$ are mapped to zero, as variable valuations are quantified existentially in the problem statements. Dually, again due to monotonicity, one can assume that all variables $x$ in parameterized eventually operators $\mathbf{F}_{\le x}$ are mapped to the same value, namely the maximum of the bounds. Thus, in many cases the parameterized always operators and different variables for parameterized eventually operators are not necessary.

Motivated by this, Kupferman et al. introduced PROMPT-LTL [12], which can be seen as the fragment of PLTL without the parameterized always operator and with a single bound $k$ for the parameterized eventually operators. They proved that PROMPT-LTL model checking is PSPACE-complete and solving PROMPT-LTL games is 2EXPTIME-complete, i.e., not harder than LTL games. While the results of Alur et al. rely on involved pumping arguments, the results of Kupferman et al. are all based on the so-called alternating color technique, which basically allows to reduce PROMPT-LTL to LTL. Furthermore, the result on PROMPT-LTL games was extended to PLTL games [20], again using the alternating color technique. These results show that adding parameters to LTL does not increase the asymptotic complexity of the model checking and the game-solving problem, which is still true for even more expressive logics [5, 21].

The synthesis problems mentioned above assume a setting of complete information, i.e., every part of the system has a complete view on the system as a whole. However, this setting is highly unrealistic in virtually any system. Distributed synthesis, on the other hand, is the problem of synthesizing multiple components with incomplete information. Since there are specifications that are not implementable, one differentiates synthesis from the corresponding decision problem, i.e., the realizability problem of a formal specification. We focus on the latter, but note that from the methods presented here, implementations are efficiently extractable from a proof of realizability.

The realizability problem for distributed systems dates back to work of Pnueli and Rosner in the early nineties [17]. They showed that the realizability problem for LTL becomes undecidable already for the simple architecture of two processes with pairwise different inputs. In subsequent work, it was shown that certain classes of architectures, like pipelines and rings, can still be synthesized automatically [13, 15]. Later, a complete characterization of the architectures for which the realizability problem is decidable was given by Finkbeiner and Schewe by the information fork criterion [7]. Intuitively, an architecture contains an information fork if there is an information flow from the environment to two different processes where the information to one process is hidden from the other and vice versa. The distributed realizability problem is decidable for all architectures without information fork. Beyond decidability results, semi-algorithms like bounded synthesis [8] give an architecture-independent synthesis method that is particularly well-suited for finding small-sized implementations.

Our Contributions. As mentioned above, one can add parameters to LTL for free: the complexity of the model checking problem and of solving infinite games does not increase. This raises the question whether this observation also holds for the distributed realizability of parametric temporal logics. For synchronous systems, we can answer this question affirmatively. For every class of architectures with decidable LTL realizability, the PROMPT-LTL realizability problem is decidable, too. To show this, we apply the alternating color technique [12] to reduce the distributed realizability problem of PROMPT-LTL to the one of LTL: one can again add parameterized operators to LTL for free.

For asynchronous systems, the environment is typically assumed to take over the responsibility for the scheduling decision [19]. Consequently, the resulting schedules may be unrealistic, e.g., one process may not be scheduled at all. While fairness assumptions such as “every process is scheduled infinitely often” solve this problem for LTL specifications, they are insufficient for PROMPT-LTL: a fair scheduler can still delay process activations arbitrarily long and thereby prevent the system from satisfying its PROMPT-LTL specification for any bound $k$. Bounded fair scheduling, where every process is guaranteed to be scheduled in bounded intervals, overcomes this problem. Since bounded fairness can be expressed in PROMPT-LTL, the realizability problem in asynchronous architectures can be formulated more generally as an assume-guarantee realizability problem that consists of two PROMPT-LTL specifications. We give a semi-decision procedure for this problem based on a new method for checking emptiness of two-colored Büchi graphs [12] and an extension of bounded synthesis [8]. As asynchronous LTL realizability for architectures with more than one process is undecidable [19], the same result holds for PROMPT-LTL realizability. Decidability in the one process case, which holds for LTL [19], is left open.

All these results also hold for PLTL and even stronger logics [6, 21] to which the alternating color technique is still applicable.

Related Work. There is a rich literature regarding the synthesis of distributed systems from global $\omega$-regular specifications [4, 7, 13, 15, 17, 18]. We are not aware of work that is concerned with the realizability of parameterized logics in this setting. For local specifications, i.e., specifications that only relate the inputs and outputs of single processes, the realizability problem becomes decidable for a larger class of architectures [14]. An extension of these results to context-free languages was given by Fridman and Puchala [9]. The realizability problem for asynchronous systems and LTL specifications is undecidable for architectures with more than one process to be synthesized [19]. Later, Gastin et al. showed decidability of a restricted specification language and certain types of architectures, i.e., well-connected [11] and acyclic [10] ones. Bounded synthesis [8] provides a flexible synthesis framework that can be used for synthesizing implementations for both the asynchronous and synchronous setting.

2 Prompt LTL 

Throughout this work, we fix a set $AP$ of atomic propositions. The formulas of PROMPT-LTL are given by the grammar

$\varphi ::= a \mid \neg a \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \mathbf{X}\varphi \mid \varphi\, \mathbf{U}\, \varphi \mid \varphi\, \mathbf{R}\, \varphi \mid \mathbf{F}_{\mathbf{p}}\varphi ,$

where $a \in AP$ is an atomic proposition, $\neg, \wedge, \vee$ are the usual boolean operators, and $\mathbf{X}, \mathbf{U}, \mathbf{R}$ are the LTL operators next, until, and release. We use the derived operators $tt := a \vee \neg a$ and $ff := a \wedge \neg a$ for some fixed $a \in AP$, and $\mathbf{F}\varphi := tt\, \mathbf{U}\, \varphi$ and $\mathbf{G}\varphi := ff\, \mathbf{R}\, \varphi$ as usual. Furthermore, we use $\varphi \rightarrow \psi$ as shorthand for $\neg\varphi \vee \psi$, if the antecedent $\varphi$ is a (negated) atomic proposition (where we identify $\neg\neg a$ with $a$). We define the size of $\varphi$ to be the number of subformulas of $\varphi$. The satisfaction relation for PROMPT-LTL is defined between an $\omega$-word $w = w_0 w_1 w_2 \cdots \in (2^{AP})^\omega$, a position $n$ of $w$, a bound $k$ for the prompt-eventually operators, and a PROMPT-LTL formula. For the LTL operators, it is defined as usual (and oblivious to $k$), and for the prompt-eventually we have

• $(w,n,k) \models \mathbf{F}_{\mathbf{p}}\varphi$ if, and only if, there exists a $j$ in the range $0 \le j \le k$ such that $(w, n+j, k) \models \varphi$.

For the sake of brevity, we write $(w,k) \models \varphi$ instead of $(w,0,k) \models \varphi$ and say that $w$ is a model of $\varphi$ with respect to $k$. Note that $(w,n,k) \models \varphi$ implies $(w,n,k') \models \varphi$ for every $k' \ge k$, i.e., satisfaction with respect to $k$ is an upwards-closed property.

The Alternating Color Technique. In this subsection, we recall the alternating color technique, which Kupferman et al. introduced to solve model checking, assume-guarantee model checking, and the realizability problem for PROMPT-LTL specifications [12].

Let $r \notin AP$ be a fixed fresh proposition. An $\omega$-word $w' \in (2^{AP \cup \{r\}})^\omega$ is an $r$-coloring of $w \in (2^{AP})^\omega$ if $w'_n \cap AP = w_n$, i.e., $w_n$ and $w'_n$ coincide on all propositions in $AP$. The additional proposition $r$ can be thought of as the color of $w'_n$: we say that the color changes at position $n$, if $n = 0$ or if the truth values of $r$ in $w'_{n-1}$ and in $w'_n$ are not equal. In this situation, we say that $n$ is a change point. An $r$-block is a maximal infix $w'_m \cdots w'_n$ such that the color changes at $m$ and $n+1$, but not in between. Let $k \ge 1$: we say that $w'$ is $k$-spaced if the color changes infinitely often and each $r$-block has length at least $k$; we say that $w'$ is $k$-bounded, if each $r$-block has length at most $k$. Note that $k$-boundedness implies that the color changes infinitely often.

Given a PROMPT-LTL formula $\varphi$, let $rel_r(\varphi)$ denote the formula obtained by inductively replacing every subformula $\mathbf{F}_{\mathbf{p}}\psi$ by

$(r \rightarrow (r\, \mathbf{U}\, (\neg r\, \mathbf{U}\, rel_r(\psi)))) \wedge (\neg r \rightarrow (\neg r\, \mathbf{U}\, (r\, \mathbf{U}\, rel_r(\psi)))) ,$

which is only linearly larger than $\varphi$ and requires every prompt eventually to be satisfied within at most one color change (not counting the position where $\psi$ holds). Furthermore, the formula $alt_r = \mathbf{G}\mathbf{F}\, r \wedge \mathbf{G}\mathbf{F}\, \neg r$ is satisfied if the colors change infinitely often. Finally, we define the LTL formula $C_r(\varphi) = rel_r(\varphi) \wedge alt_r$. Kupferman et al. showed that $\varphi$ and $C_r(\varphi)$ are in some sense equivalent on $\omega$-words which are bounded and spaced.

Lemma 1 (Lemma 2.1 of [12]). Let $\varphi$ be a PROMPT-LTL formula, and let $w \in (2^{AP})^\omega$.

1. If $(w,k) \models \varphi$, then $w' \models C_r(\varphi)$ for every $k$-spaced $r$-coloring $w'$ of $w$.

2. If $w'$ is a $k$-bounded $r$-coloring of $w$ with $w' \models C_r(\varphi)$, then $(w,2k) \models \varphi$.

Whenever possible, we drop the subscript $r$ for the sake of readability, if $r$ is clear from context. However, when we consider asynchronous systems in Section 4, we need to relativize two formulas with different colors, which necessitates the introduction of the subscripts.
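As an added illustration, not code from the paper, the following Python snippet evaluates PROMPT-LTL formulas over ultimately periodic words (given as a prefix and a loop), implements the translations $rel_r$ and $C_r$ defined above, and checks both parts of Lemma 1 on a constructed request-response word. The word, the block-wise coloring and all function names are my own assumptions.

```python
"""Added illustration (not code from the paper): a small PROMPT-LTL evaluator over
ultimately periodic words, the rel_r / C_r translation of Section 2, and a check of
both parts of Lemma 1 on a constructed word.  All names below are my own."""
from math import lcm

# Formulas are nested tuples in the paper's grammar: ("ap", a), ("not", f),
# ("and", f, g), ("or", f, g), ("X", f), ("U", f, g), ("R", f, g), ("Fp", f).
TT = ("or", ("ap", "_"), ("not", ("ap", "_")))    # tt := a ∨ ¬a for a fixed atom
FF = ("and", ("ap", "_"), ("not", ("ap", "_")))   # ff := a ∧ ¬a
def F(f): return ("U", TT, f)                     # F φ := tt U φ
def G(f): return ("R", FF, f)                     # G φ := ff R φ
def Fp(f): return ("Fp", f)                       # prompt eventually
def implies(lit, f):                              # lit → φ := ¬lit ∨ φ, lit a (negated) atom
    neg = lit[1] if lit[0] == "not" else ("not", lit)   # identify ¬¬a with a
    return ("or", neg, f)

class Lasso:
    """Ultimately periodic word prefix·loop^ω; each letter is a set of propositions."""
    def __init__(self, prefix, loop):
        self.prefix = [frozenset(l) for l in prefix]
        self.loop = [frozenset(l) for l in loop]
    def norm(self, n):            # canonical index of position n
        p = len(self.prefix)
        return n if n < p else p + (n - p) % len(self.loop)
    def letter(self, n):
        n = self.norm(n)
        return self.prefix[n] if n < len(self.prefix) else self.loop[n - len(self.prefix)]

def evaluate(phi, w, k, n=0):
    """Decide (w, n, k) ⊨ phi.  U and R scan forward until a canonical position
    repeats; on a lasso that means every position reachable from n was inspected."""
    memo = {}
    def ev(f, n):
        key = (f, w.norm(n))
        if key in memo:
            return memo[key]
        op = f[0]
        if op == "ap":
            res = f[1] in w.letter(n)
        elif op == "not":
            res = not ev(f[1], n)
        elif op == "and":
            res = ev(f[1], n) and ev(f[2], n)
        elif op == "or":
            res = ev(f[1], n) or ev(f[2], n)
        elif op == "X":
            res = ev(f[1], n + 1)
        elif op == "Fp":                                  # some j with 0 ≤ j ≤ k
            res = any(ev(f[1], n + j) for j in range(k + 1))
        else:                                             # "U" or "R"
            seen, j, res = set(), 0, op == "R"
            while w.norm(n + j) not in seen:
                seen.add(w.norm(n + j))
                right, left = ev(f[2], n + j), ev(f[1], n + j)
                if op == "U" and right:     res = True;  break   # ψ reached
                if op == "U" and not left:  res = False; break   # φ broke before ψ
                if op == "R" and not right: res = False; break   # ψ violated
                if op == "R" and left:      res = True;  break   # released by φ
                j += 1
        memo[key] = res
        return res
    return ev(phi, n)

def rel_r(phi, r="r"):
    """Replace every F_p ψ by (r → (r U (¬r U ψ))) ∧ (¬r → (¬r U (r U ψ))), recursively."""
    if phi[0] == "ap":
        return phi
    if phi[0] == "Fp":
        R, NR, psi = ("ap", r), ("not", ("ap", r)), rel_r(phi[1], r)
        return ("and", implies(R, ("U", R, ("U", NR, psi))),
                       implies(NR, ("U", NR, ("U", R, psi))))
    return (phi[0],) + tuple(rel_r(f, r) for f in phi[1:])

def C_r(phi, r="r"):
    """C_r(φ) = rel_r(φ) ∧ alt_r with alt_r = GF r ∧ GF ¬r."""
    alt = ("and", G(F(("ap", r))), G(F(("not", ("ap", r)))))
    return ("and", rel_r(phi, r), alt)

def color_r(w, block, r="r"):
    """The r-coloring of w whose r-blocks all have length `block` (so it is both
    block-bounded and block-spaced); the loop is stretched to stay periodic."""
    p, L = len(w.prefix), len(w.loop)
    col = lambda n: {r} if (n // block) % 2 == 0 else set()
    L2 = lcm(L, 2 * block)
    return Lasso([w.prefix[n] | col(n) for n in range(p)],
                 [w.loop[i % L] | col(p + i) for i in range(L2)])

# Constructed word: a request every 6 steps, answered 5 steps later (wait = 5).
W = Lasso([], [{"req"}, set(), set(), set(), set(), {"resp"}])
PHI = G(implies(("ap", "req"), Fp(("ap", "resp"))))   # G(req → F_p resp)

def lemma1_demo():
    return {
        "phi_k5": evaluate(PHI, W, 5),                        # True: every wait is 5
        "phi_k3": evaluate(PHI, W, 3),                        # False
        "Cr_3bounded": evaluate(C_r(PHI), color_r(W, 3), 0),  # True: Lemma 1.2 only yields 2·3 = 6
        "Cr_6spaced": evaluate(C_r(PHI), color_r(W, 6), 0),   # True: Lemma 1.1 with k = 5, 6 ≥ 5
        "Cr_2blocks": evaluate(C_r(PHI), color_r(W, 2), 0),   # False: 2-blocks are not 5-spaced
    }
```

The 3-bounded coloring shows why Lemma 1.2 can only promise the bound $2k$: $C_r(\varphi)$ holds on it although $\varphi$ needs bound 5, not 3.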

3 Synchronous Distributed Synthesis 

PROMPT-LTL specifications can give guarantees that LTL cannot, for example by asserting not only that requests to a system are answered eventually, but also that there is an upper bound on the reaction time. This is especially important in distributed systems, since such timing constraints become more difficult to implement because of information flows between the various parts of the system.

Consider for example a distributed computation system, where a central master gets important and unimportant tasks, and can forward tasks to a number of clients. A client can either enqueue the task, which means that it will be processed eventually, or clear the client-side queue and process the task immediately. The latter operation is very costly (we have to remember the open tasks as they still need to be completed), but guarantees an upper bound on the completion time. While in LTL we can only specify that all incoming tasks are processed eventually, in PROMPT-LTL we can specify that the answer time to important tasks is bounded by the formula $\mathbf{G}(important\text{-}task \rightarrow \mathbf{F}_{\mathbf{p}}\, finished\text{-}task)$.¹

We continue by formalizing the distributed realizability problem. Let $X$ and $Y$ be finite and pairwise disjoint sets of variables. A valuation of $X$ is a subset of $X$; thus, the set of all valuations of $X$ is $2^X$. For $w = w_0 w_1 w_2 \cdots \in (2^X)^\omega$ and $w' = w'_0 w'_1 w'_2 \cdots \in (2^Y)^\omega$, let $w \cup w' = (w_0 \cup w'_0)(w_1 \cup w'_1)(w_2 \cup w'_2) \cdots \in (2^{X \cup Y})^\omega$.

Strategies. A strategy $f\colon (2^X)^* \rightarrow 2^Y$ maps a history of valuations of $X$ to a valuation of $Y$. A $2^Y$-labeled $2^X$-transition system is a tuple $(S, s_0, \Delta, l)$ where $S$ is a finite set of states, $s_0 \in S$ is the designated initial state, $\Delta\colon S \times 2^X \rightarrow S$ is the transition function, and $l\colon S \rightarrow 2^Y$ is the state-labeling.

¹ A similar constraint could be simulated in LTL by writing that on every important incoming task, the worker queues are cleared. This, however, removes implementation freedom and requires the developer to determine how to implement the feature, instead of letting the synthesis algorithm decide.
We generalize the transition function to sequences over $2^X$ by defining $\Delta^*\colon (2^X)^* \rightarrow S$ recursively as $\Delta^*(\varepsilon) = s_0$ and $\Delta^*(w_0 \cdots w_{n-1} w_n) = \Delta(\Delta^*(w_0 \cdots w_{n-1}), w_n)$ for $w_0 \cdots w_{n-1} w_n \in (2^X)^+$. A transition system $\mathcal{T}$ generates the strategy $f$ if $f(w) = l(\Delta^*(w))$ for every $w \in (2^X)^*$. A strategy $f$ is called finite-state if there exists a transition system that generates $f$.

Let $X'$ and $Y'$ be finite and disjoint sets where $X'$ is additionally disjoint from $Y$ and $Y'$ is additionally pairwise disjoint from $X$ and $Y$. Further, let $f\colon (2^X)^* \rightarrow 2^Y$ and $f'\colon (2^X)^* \rightarrow 2^{Y'}$ be two strategies with the same domain but pairwise different co-domain $2^Y$ and $2^{Y'}$. The product $f \times f'\colon (2^X)^* \rightarrow 2^{Y \cup Y'}$ of $f$ and $f'$ is defined as $(f \times f')(w) = f(w) \cup f'(w)$ for every $w \in (2^X)^*$. The $2^X$-projection of a sequence $w_0 \cdots w_n \in (2^{X \cup X'})^*$ is $proj_{2^X}(w_0 \cdots w_n) = (w_0 \cap X) \cdots (w_n \cap X) \in (2^X)^*$. The $2^{X'}$-widening of a strategy $f\colon (2^X)^* \rightarrow 2^Y$ is defined as $wide_{2^{X'}}(f)\colon (2^{X \cup X'})^* \rightarrow 2^Y$ with $wide_{2^{X'}}(f)(w) = f(proj_{2^X}(w))$ for $w \in (2^{X \cup X'})^*$. For strategies $f\colon (2^X)^* \rightarrow 2^Y$ and $f'\colon (2^{X'})^* \rightarrow 2^{Y'}$, the distributed product $f \otimes f'\colon (2^{X \cup X'})^* \rightarrow 2^{Y \cup Y'}$ is defined as the product $wide_{2^{X' \setminus X}}(f) \times wide_{2^{X \setminus X'}}(f')$.

The behavior of a strategy $f\colon (2^X)^* \rightarrow 2^Y$ is characterized by an infinite tree that branches by the valuations of $X$ and whose nodes $w \in (2^X)^*$ are labeled with the strategic choice $f(w)$. For an infinite word $w = w_0 w_1 w_2 \cdots \in (2^X)^\omega$, the corresponding labeled path is defined as $(f(\varepsilon) \cup w_0)(f(w_0) \cup w_1)(f(w_0 w_1) \cup w_2) \cdots \in (2^{X \cup Y})^\omega$. We lift the set containment operator $\in$ to the containment of a labeled path $w = w_0 w_1 w_2 \cdots \in (2^{X \cup Y})^\omega$ in a strategy tree induced by $f\colon (2^X)^* \rightarrow 2^Y$, i.e., $w \in f$ if, and only if, $f(\varepsilon) = w_0 \cap Y$ and $f((w_0 \cap X) \cdots (w_i \cap X)) = w_{i+1} \cap Y$ for all $i \ge 0$. We define the satisfaction of a PROMPT-LTL formula $\varphi$ (over propositions $X \cup Y$) on strategy $f$ with respect to the bound $k$, written $(f,k) \models \varphi$ for short, as $(w,k) \models \varphi$ for all paths $w \in f$.


Distributed Systems. We characterize a distributed system as a set of processes with a fixed communication topology, called an architecture in the following. Recall that $AP$ is the set of atomic propositions used to build formulas. An architecture is a tuple $(P, p_{env}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$, where $P$ is the finite set of processes and $p_{env} \in P$ is the distinct environment process. We denote by $P^- = P \setminus \{p_{env}\}$ the set of system processes.

Given a process $p \in P$, the inputs and outputs of this process are $I_p \subseteq AP$ and $O_p \subseteq AP$, respectively, where we assume $I_{p_{env}} = \emptyset$. We use the notation $I_{P'}$ and $O_{P'}$ for some $P' \subseteq P$ for $\bigcup_{p \in P'} I_p$ and $\bigcup_{p \in P'} O_p$, respectively. While processes may share the same inputs (in case of broadcasting), the outputs of processes must be pairwise disjoint, i.e., for all $p \ne p' \in P$ it holds that $O_p \cap O_{p'} = \emptyset$.

An implementation of a process $p \in P^-$ is a strategy $f_p\colon (2^{I_p})^* \rightarrow 2^{O_p}$ mapping finite input sequences to a valuation of the output variables.



Figure 1: Example architectures 

Example 1. Figure 1 shows example architectures $\mathcal{A}_1$ and $\mathcal{A}_2$ where

$\mathcal{A}_1 = (\{p_{env}, p_1, p_2\}, p_{env}, \{p_{env} \mapsto \emptyset, p_1 \mapsto \{a\}, p_2 \mapsto \{b\}\}, \{p_{env} \mapsto \{a,b\}, p_1 \mapsto \{c\}, p_2 \mapsto \{d\}\})$, and

$\mathcal{A}_2 = (\{p_{env}, p_1, p_2\}, p_{env}, \{p_{env} \mapsto \emptyset, p_1 \mapsto \{a\}, p_2 \mapsto \{b\}\}, \{p_{env} \mapsto \{a\}, p_1 \mapsto \{b\}, p_2 \mapsto \{c\}\})$.
The architecture $\mathcal{A}_1$ in Fig. 1(a) contains two system processes, $p_1$ and $p_2$, and the environment process $p_{env}$. The processes $p_1$ and $p_2$ receive the inputs $a$, respectively $b$, from the environment and output $c$ and $d$, respectively. Hence, the environment can provide process $p_1$ with information that is hidden from $p_2$ and vice versa. In contrast, architecture $\mathcal{A}_2$, depicted in Fig. 1(b), is a pipeline architecture where information from the environment can only propagate through the pipeline processes $p_1$ and $p_2$.


Distributed Realizability. Let $\mathcal{A} = (P, p_{env}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$ be an architecture. The distributed realizability problem for $\mathcal{A}$ is to decide, given a PROMPT-LTL formula $\varphi$, whether there exist a bound $k$ and a finite-state implementation $f_p$ for every process $p \in P^-$, such that the distributed product $\bigotimes_{p \in P^-} f_p$ satisfies $\varphi$ with respect to $k$, i.e., $(\bigotimes_{p \in P^-} f_p, k) \models \varphi$. In this case, we say that $\varphi$ is realizable in $\mathcal{A}$. The distributed realizability problem for LTL is a special case, as LTL is a fragment of PROMPT-LTL.

Let $r \notin AP$ be the fresh proposition introduced for the alternating color technique to relativize formulas and let $\mathcal{A} = (P, p_{env}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$ be an architecture as above. We define the architecture $\mathcal{A}^r$ as $(P \cup \{p_r\}, p_{env}, \{I_p\}_{p \in P} \cup \{I_r\}, \{O_p\}_{p \in P} \cup \{O_r\})$, where $I_r = \emptyset$ and $O_r = \{r\}$. Intuitively, this describes an architecture where one additional process $p_r$ is responsible for providing sequences in $(2^{\{r\}})^\omega$, i.e., a coloring by $r$. We show that $\varphi$ in $\mathcal{A}$ and $C_r(\varphi)$ in $\mathcal{A}^r$ are equi-realizable by applying the alternating color technique. As the processes are synchronized, the proof is similar to the one for the single-process case by Kupferman et al. [12].

Theorem 1. A PROMPT-LTL formula $\varphi$ is realizable in $\mathcal{A}$ if, and only if, $C_r(\varphi)$ is realizable in $\mathcal{A}^r$.

Proof. Let $\mathcal{A} = (P, p_{env}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$ be an architecture and $\varphi$ be a PROMPT-LTL formula.

Assume that the PROMPT-LTL formula $\varphi$ is realizable in $\mathcal{A}$. Then, there exist finite-state strategies $f_p$ for $p \in P^-$ and a bound $k$ satisfying the PROMPT-LTL distributed realizability problem $(\mathcal{A}, \varphi)$. For every $w \in \bigotimes_{p \in P^-} f_p$, it holds that $(w,k) \models \varphi$. By Lemma 1.1, it holds that every $k$-spaced $r$-coloring $w'$ of $w$ satisfies $C_r(\varphi)$. Let $f_r\colon (2^\emptyset)^* \rightarrow 2^{\{r\}}$ be a (finite-state) strategy that produces a $k$-spaced sequence. Then, the process implementations $\{f_p\}_{p \in P^-}$ together with $f_r$ are a solution to the LTL distributed realizability problem $(\mathcal{A}^r, C_r(\varphi))$.

Now, assume that the LTL formula $C_r(\varphi)$ is realizable in the architecture $\mathcal{A}^r$. Thus, there exist finite-state strategies $f_p$ for $p \in P^-$ and a finite-state strategy $f_r$ for process $p_r$. Note that the strategy $f_r\colon (2^\emptyset)^* \rightarrow 2^{\{r\}}$ has a unique output $w_r \in (2^{\{r\}})^\omega$, as it has no inputs. We claim that $w_r$ is $k$-bounded, where $k$ is the number of states of the transition system $\mathcal{T}_r = (S, s_0, \Delta, l)$ generating $f_r$. To see this, note that $f_r$ has no inputs, i.e., every state of $\mathcal{T}_r$ has a unique successor in $\Delta$, and the unique run of $\mathcal{T}_r$ on $\emptyset^\omega$ ends up in a loop which is traversed ad infinitum. As the output $w_r$ has infinitely many change points, the loop contains at least one state $s$ labeled by $l(s) = \emptyset$ and at least one state $s'$ with $l(s') = \{r\}$. Thus, the maximal length of a block of $w_r$ is bounded by the length of the loop, which in turn is bounded by the size of $\mathcal{T}_r$.

Hence, for every $w \in \bigotimes_{p \in P^-} f_p$, the word $w_r \cup w$ is a $k$-bounded $r$-coloring of $w$ with $w_r \cup w \models rel_r(\varphi)$. By Lemma 1.2, for all such $w$ it holds that $(w, 2k) \models \varphi$. Hence, $\{f_p\}_{p \in P^-}$ together with the bound $2k$ is a solution to the PROMPT-LTL distributed realizability problem. □

To conclude, we show that the newly introduced process $p_r$ preserves the information fork criterion [7]. Formally, consider tuples $(P', V', p, p')$, where $P'$ is a subset of the processes, $V'$ is a subset of the variables disjoint from $I_p \cup I_{p'}$, and $p, p' \in P^- \setminus P'$ are two different processes. Such a tuple is an information fork in $\mathcal{A}$ if $P'$ together with the edges that are labeled with at least one variable from $V'$ forms a sub-graph of $\mathcal{A}$ rooted in the environment and there exist two nodes $q, q' \in P'$ that have edges to $p, p'$, respectively, such that $O_q \cap I_p \not\subseteq I_{p'}$ and $O_{q'} \cap I_{p'} \not\subseteq I_p$. For example, the architecture $\mathcal{A}_1$ in Fig. 1(a) contains the information fork $(\{p_{env}\}, \emptyset, p_1, p_2)$, while the pipeline architecture $\mathcal{A}_2$ depicted in Fig. 1(b) does not contain an information fork.
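As an added illustration, not code from the paper, the following Python snippet enumerates candidate tuples $(P', V', p, p')$ according to the information fork definition just given and evaluates it on the two architectures of Figure 1; it also attaches the coloring process $p_r$ with $I_r = \emptyset$ and $O_r = \{r\}$ to each architecture, which, as Lemma 2 below states, must not change the outcome. The dictionary encoding and the function names are my own.

```python
"""Added illustration (not code from the paper): a brute-force check of the
information fork criterion of Section 3 on the architectures of Figure 1.
The dictionary layout and function names are my own."""
from itertools import combinations, permutations

def subsets(xs):
    """All subsets of xs as frozensets, smallest first."""
    xs = sorted(xs)
    for n in range(len(xs) + 1):
        for c in combinations(xs, n):
            yield frozenset(c)

def rooted(P2, V2, env, inputs, outputs):
    """Does P2, with the edges carrying at least one variable of V2, form a
    sub-graph rooted in env, i.e. is every q in P2 reachable from env?"""
    if env not in P2:
        return False
    reach, todo = {env}, [env]
    while todo:
        q = todo.pop()
        for q2 in P2 - reach:
            if outputs[q] & inputs[q2] & V2:     # edge q → q2 labelled with a V2 variable
                reach.add(q2)
                todo.append(q2)
    return reach == P2

def information_fork(arch):
    """Return some information fork (P', V', p, p') of arch, or None if there is none."""
    env, inputs, outputs = arch["env"], arch["inputs"], arch["outputs"]
    procs = set(inputs)
    variables = set().union(*outputs.values())
    for p, p2 in permutations(sorted(procs - {env}), 2):     # p ≠ p', both system processes
        for P2 in subsets(procs - {p, p2}):                   # p, p' ∉ P'
            for V2 in subsets(variables - inputs[p] - inputs[p2]):   # V' ∩ (I_p ∪ I_p') = ∅
                if not rooted(P2, V2, env, inputs, outputs):
                    continue
                # some q ∈ P' feeds p information hidden from p', and some q' vice versa
                if any(not (outputs[q] & inputs[p] <= inputs[p2]) for q in P2) and \
                   any(not (outputs[q] & inputs[p2] <= inputs[p]) for q in P2):
                    return (P2, V2, p, p2)
    return None

def add_color_process(arch, r="r"):
    """The architecture A^r of Section 3: one extra process p_r with I_r = ∅, O_r = {r}."""
    a = {"env": arch["env"], "inputs": dict(arch["inputs"]), "outputs": dict(arch["outputs"])}
    a["inputs"]["pr"], a["outputs"]["pr"] = set(), {r}
    return a

# Figure 1(a): env → p1 via a and env → p2 via b (pairwise different inputs).
A1 = {"env": "penv",
      "inputs":  {"penv": set(), "p1": {"a"}, "p2": {"b"}},
      "outputs": {"penv": {"a", "b"}, "p1": {"c"}, "p2": {"d"}}}
# Figure 1(b): the pipeline env → p1 → p2.
A2 = {"env": "penv",
      "inputs":  {"penv": set(), "p1": {"a"}, "p2": {"b"}},
      "outputs": {"penv": {"a"}, "p1": {"b"}, "p2": {"c"}}}
```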

Lemma 2. $\mathcal{A}^r$ contains an information fork if and only if $\mathcal{A}$ contains an information fork.

Proof. The if direction follows immediately by construction: if $(P', V', p, p')$ is an information fork in $\mathcal{A}$, then it is an information fork in $\mathcal{A}^r$ as well. Hence, assume $(P', V', p, p')$ is an information fork in $\mathcal{A}^r$. It holds that neither $p_r = p$ nor $p_r = p'$ since $p_r$ has no incoming edges. As $I_{p_r} = \emptyset$, $p_r$ cannot be in a sub-graph that is rooted in the environment, hence, $p_r \notin P'$ and $r \notin V'$. It follows that $(P', V', p, p')$ is an information fork in $\mathcal{A}$. □

Thus, we can use well-known results for the decidability of distributed realizability for LTL and weakly ordered architectures [7], i.e., those without an information fork.

Corollary 1. Let $\mathcal{A}$ be an architecture. The PROMPT-LTL distributed realizability problem for $\mathcal{A}$ is decidable if and only if $\mathcal{A}$ is weakly ordered.

Furthermore, we can directly apply semi-algorithms for the distributed realizability problem, such as bounded synthesis [8], to effectively construct small-sized solutions.

4 Asynchronous Distributed Synthesis 

The asynchronous system model is a generalization of the synchronous model discussed in the last section. In an asynchronous system, not all processes are scheduled at the same time. We model the scheduler as part of the environment, i.e., at any given time the environment additionally signals whether a process is enabled. The resulting distributed realizability problem is already undecidable for LTL specifications and systems with more than one process [19].

We have to adapt the definition of the PROMPT-LTL realizability problem for the asynchronous setting. Using the definition from Section 3, the system can never satisfy a PROMPT-LTL formula if the scheduler is part of the environment, since it may delay scheduling indefinitely. Moreover, even if the scheduler is assumed to be fair, it can still build increasing delay blocks between process activation times, such that it is impossible for the system to guarantee any bound $k \in \mathbb{N}$. Hence, we employ the concept of bounded fair schedulers and allow the system valuations to depend on the scheduler bound. More generally, this is a typical instance of an assume-guarantee specification: under the assumption that the scheduler is bounded fair, the system satisfies its specification. In the following, we formally introduce the distributed realizability problem for asynchronous systems and assume-guarantee specifications.

To model scheduling, we introduce an additional set $Sched = \{sched_p \mid p \in P^-\}$ of atomic propositions. The valuation of $sched_p$ indicates whether system process $p$ is currently scheduled or not. Given a (synchronous) architecture $\mathcal{A} = (P, p_{env}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$, we define the asynchronous architecture $\mathcal{A}^*$ as the architecture with the environment output $O^*_{p_{env}} = O_{p_{env}} \cup Sched$. Furthermore, we extend the input $I_p$ of a process by its scheduling variable $sched_p$, i.e., $I^*_p = I_p \cup \{sched_p\}$ for every $p \in P^-$. The environment can decide in every step which processes to schedule. When a process is not scheduled, its state, and thereby its outputs, do not change [8]. Formally, let $f_p$ for $p \in P^-$ be a finite-state implementation for a process $p$ and $\mathcal{T}_p = (S, s_0, \Delta, l)$ a transition system that generates $f_p$. For every path $w = w_0 w_1 w_2 \cdots \in f_p$, it holds that if $sched_p \notin w_i$ for some $i \in \mathbb{N}$, then $\Delta^*(w[i]) = \Delta^*(w[i+1])$, where $w[i]$ denotes the prefix $w_0 w_1 \cdots w_i$ of $w$.

A PROMPT-LTL assume-guarantee specification $(\varphi, \psi)$ consists of a pair of PROMPT-LTL formulas. The asynchronous assume-guarantee realizability problem asks, given an asynchronous architecture $\mathcal{A}^*$ and $(\varphi, \psi)$ as above, whether there exists a finite-state implementation $f_p$ for every process $p \in P^-$ such that for every bound $k$ there is a bound $l$ such that for every $w \in \bigotimes_{p \in P^-} f_p$, we have that $(w,k) \models \varphi$ implies $(w,l) \models \psi$. In this case, we say that $\bigotimes_{p \in P^-} f_p$ satisfies $(\varphi, \psi)$.

Consider the bounded fairness specification discussed above, which is expressed by the formula $\varphi = \bigwedge_{p \in P^-} \mathbf{G}\mathbf{F}_{\mathbf{p}}\, sched_p$, i.e., for every point in time, every $p$ is scheduled within a bounded number of steps. That is, we use $\varphi$ as an assumption on the environment which implies that the guarantee $\psi$ only has to be satisfied if $\varphi$ holds. Consider for example the asynchronous architecture corresponding to Fig. 1(a) and the PROMPT-LTL specification $\psi = \mathbf{G}(\mathbf{F}_{\mathbf{p}}\, c \wedge \mathbf{F}_{\mathbf{p}}\, \neg c \wedge \mathbf{F}_{\mathbf{p}}\, d \wedge \mathbf{F}_{\mathbf{p}}\, \neg d)$. Even when we assume a fair scheduler, i.e., $\varphi = \mathbf{G}\mathbf{F}\, sched_{p_1} \wedge \mathbf{G}\mathbf{F}\, sched_{p_2}$, the environment can prevent one process from satisfying the specification for any bound $l$. This problem is fixed by assuming the scheduler to be bounded fair, i.e., $\varphi = \mathbf{G}\mathbf{F}_{\mathbf{p}}\, sched_{p_1} \wedge \mathbf{G}\mathbf{F}_{\mathbf{p}}\, sched_{p_2}$. Then, there exist realizing implementations for processes $p_1$ and $p_2$ (that alternate between enabling and disabling the output), and the bound on the guarantee is $l = 2 \cdot k$ for every bound $k$.

Unlike LTL, where the assume-guarantee problem $(\varphi, \psi)$ can be reduced to the LTL realizability problem for the implication $\varphi \rightarrow \psi$, this is not possible in PROMPT-LTL due to the quantifier alternation on the bounds. Indeed, it is still open whether the PROMPT-LTL assume-guarantee realizability problem in the single-process case is decidable. We show that even if the problem turns out to be decidable, an implementation that realizes the specification may in general need infinite memory.

Lemma 3. There exists an assume-guarantee PROMPT-LTL specification that can be realized with an infinite-state strategy, but not with a finite-state strategy.

Proof. Consider the assume-guarantee specification $(\varphi, \psi)$ with $\varphi = \mathbf{G}\mathbf{F}_{\mathbf{p}}\, o \vee \mathbf{F}\mathbf{G}\, \neg o$ and $\psi = ff$ and a single process architecture with $I = \emptyset$ and $O = \{o\}$. As the guarantee $\psi$ is false, the implementation has to falsify the assumption $\varphi$ for every bound $k$ on the prompt-eventually operator to realize $(\varphi, \psi)$. To falsify $\varphi$ with respect to $k$, the implementation has to produce a sequence $w \in (2^{\{o\}})^\omega$ where $o$ is repeatedly true and where $\emptyset^k$ is an infix of $w$. Thus, the size of the implementation depends on $k$ and an implementation that falsifies $\varphi$ for every $k$ must have infinite memory. □

Since the LTL realizability problem is undecidable and implementations for PROMPT-LTL assume-guarantee specifications may need infinite memory, the PROMPT-LTL assume-guarantee realizability problem for asynchronous architectures may be at best solvable by a semi-decision procedure. We present such a semi-algorithm for the asynchronous distributed realizability problem for assume-guarantee PROMPT-LTL specifications based on bounded synthesis [8]. In bounded synthesis, a transition system of a fixed size is “guessed” and model checked by a constraint solver. Model checking for PROMPT-LTL can be solved by checking pumpable non-emptiness of colored Büchi graphs [12]. However, the pumpability condition cannot directly be expressed in the bounded synthesis constraint system. Hence, in Section 4.1 we give an alternative solution to the non-emptiness of colored Büchi graphs by a reduction to Büchi graphs that have access to the state space of the transition system. We use this result to build the semi-algorithm that is presented in Section 4.2.

4.1 Nonemptiness of Colored Büchi Graphs

In the case of LTL specifications, the nonemptiness problem for Büchi graphs gives a classical solution to the model checking problem for a given system $\mathcal{T}$. Let $\varphi$ be the LTL formula that $\mathcal{T}$ should satisfy. In a preprocessing step, the negation of $\varphi$ is translated to a nondeterministic Büchi word automaton $\mathcal{A}_{\neg\varphi}$. Then $\varphi$ is violated by $\mathcal{T}$ if, and only if, the Büchi graph $G$ representing the product of $\mathcal{T}$ and $\mathcal{A}_{\neg\varphi}$ is nonempty. An accepting path $\pi$ in $G$ witnesses a computation of $\mathcal{T}$ that violates $\varphi$. Colored Büchi graphs are an extension to those graphs in the context of model checking PROMPT-LTL [12].

A colored Büchi graph of degree two is a tuple $G = (\{r, r'\}, V, E, v_0, L, \mathcal{B})$ where $r$ and $r'$ are propositions, $V$ is a set of vertices, $E \subseteq V \times V$ is a set of edges, $v_0 \in V$ is the designated initial vertex, $L\colon V \rightarrow 2^{\{r,r'\}}$ describes the color of a vertex, and $\mathcal{B} = \{B_1, B_2\}$ is a generalized Büchi condition of index two, i.e., $B_1, B_2 \subseteq V$. A Büchi graph is a special case where we omit the labeling function and are interested in finding an accepting path. A path $\pi = v_0 v_1 v_2 \cdots \in V^\omega$ is pumpable, if we can pump all its $r'$-blocks without pumping its $r$-blocks. Formally, a path is pumpable if for all adjacent $r'$-change points $i$ and $i'$, there are positions $j$, $j'$, and $j''$ such that $i < j < j' < j'' < i'$, $v_j = v_{j''}$ and $r \in L(v_j)$ if, and only if, $r \notin L(v_{j'})$. A path $\pi$ is accepting, if it visits both $B_1$ and $B_2$ infinitely often. The pumpable nonemptiness problem for $G$ is to decide whether $G$ has a pumpable accepting path. It is NLOGSPACE-complete and solvable in linear time [12].

We give an alternative solution to this problem based on a reduction to the nonemptiness problem of Büchi graphs. To this end, we construct a non-deterministic safety automaton $\mathcal{A}_{pump}$ that characterizes the pumpability condition. Note that an infinite word is accepted by a safety automaton if, and only if, there exists an infinite run on this word.

Lemma 4. Let $G = (\{r,r'\}, V, E, v_0, L, \mathcal{F})$ be a colored Büchi graph of degree two. There exists a Büchi
graph $G'$ with $\mathcal{O}(|G'|) = \mathcal{O}(|G|^2)$ such that $G$ has a pumpable accepting path if, and only if, $G'$ has an
accepting path.

Proof. We define a non-deterministic safety automaton $\mathcal{M}_{\mathit{pump}} = (V \times 2^{\{r,r'\}}, S, s_0, \delta, S)$ over the alphabet
$V \times 2^{\{r,r'\}}$ that checks the pumpability condition. The product of $G$ and $\mathcal{M}_{\mathit{pump}}$ (defined later) represents
the Büchi graph $G'$ where every accepting path is pumpable.

The language of pumpable paths, a subset of $(V \times 2^{\{r,r'\}})^\omega$ (with respect to a fixed set of vertices $V$), is
an $\omega$-regular language that can be recognized by a small non-deterministic safety automaton. This
automaton $\mathcal{M}_{\mathit{pump}}$ operates in 3 phases between every pair of adjacent $r'$-change points: first, it non-
deterministically remembers a vertex $v$ and the corresponding truth value of $r$. Then, it checks that this
value changes, and thereafter it remains to show that the vertex $v$ repeats before the next $r'$-change point.
Thus, the state space $S$ of $\mathcal{M}_{\mathit{pump}}$ is

$$S = \{s_0\} \cup \{s_{v,x} \mid v \in V, x \in 2^{\{r,r'\}}\} \cup \{s'_{v,y} \mid v \in V, y \in 2^{\{r,r'\}}\} \cup \{s''_z \mid z \in 2^{\{r'\}}\}$$

and the initial state is $s_0$. The state space corresponds to the 3 phases: in the states $s_{v,x}$ a vertex $v$ and
a truth value of $r$ are remembered, before state $s'_{v,y}$ the value of $r$ changes, and $s''_z$ is the state after the
vertex repetition. The transition function $\delta\colon (S \times (V \times 2^{\{r,r'\}})) \to 2^S$ is defined as follows:


• 5(5o,(v,x)) = {5v,;c} 


• 5[sv^,{v',x'))3 

• 8 [s”,{v,x)) 9 ( 


^v,x 

if X ={,•'} 7^ 


if X ={,/}/ 

Ay 

if X ={r'} x' and x 

Ay 

if X ={r'} y and v' 

s" 

Vf'-'} 

if X ={r>} y and v = v 


< ifA={,,}Z 

^v,x if3^ 
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where A =c B is defined as (AnC) = (BnC). The size of ^ump is in C?(|T|). Figure |2] gives a visual¬ 
ization of this automaton. 

Figure 2: Schematic visualization of the automaton from the proof of Lemma 4. The 3 phases are
clearly visible: in the red states $s_{v,x}$ (solid rectangles) the values $(v,x)$ are non-deterministically stored,
and those states can only be left if there is a change in the value of $r$. The subsequent blue states $s'_{v,y}$
(dashed rectangles) can only be left in case of a vertex repetition, leading to the green states $s''_z$ (dotted
circles) that wait for the next $r'$-change point.


Remark 1. Note that in the context of this proof, it would be enough to remember a vertex $v$ without
the valuation of $\{r,r'\}$, as the vertex determines the valuation by the labeling function $L\colon V \to 2^{\{r,r'\}}$ of $G$.
However, we will later use $\mathcal{M}_{\mathit{pump}}$ in a more general setting (cf. Section 4.2).

We define the product $G'$ of the colored Büchi graph $G = (\{r,r'\}, V, E, v_0, L, \mathcal{F})$ and the automa-
ton $\mathcal{M}_{\mathit{pump}}$ as the Büchi graph $(V \times S, E', (v_0,s_0), \mathcal{F}')$, where

$$((v,s),(v',s')) \in E' \iff (v,v') \in E \wedge s' \in \delta(s,(v,L(v)))$$

and where $\mathcal{F}' = \{B'_1, B'_2\}$ is given by $B'_i = \{(v,s) \mid v \in B_i \text{ and } s \in S\}$ for $i \in \{1,2\}$. The size of $G'$ is in
$\mathcal{O}(|G|^2)$. It remains to show that $G$ has a pumpable accepting path if, and only if, $G'$ has an accepting
path.

Consider a pumpable accepting path $\pi$ in $G$. We show that there is a corresponding accepting path
$\pi'$ in $G'$. Let $i$ and $i'$ be adjacent $r'$-change points. Then there are positions $j$, $j'$, and $j''$ such that
$i < j < j' < j'' < i'$, $v_j = v_{j''}$, and $r \in L(v_j)$ if, and only if, $r \notin L(v_{j'})$. By construction, at position
$i$, automaton $\mathcal{M}_{\mathit{pump}}$ is in some state from the set $\{s_0, s''_\emptyset, s''_{\{r'\}}\}$. We follow the automaton and remember
vertex $v$ and the truth value of $r$ at position $j > i$ (some state $s_{v,x}$). Next, we take the transition to $s'_{v,y}$
where the truth value of $r$ changes (at position $j'$). Lastly, we check that there is a vertex repetition (at
position $j''$) and go to state $s''_z$. At the next $r'$-change point the argument repeats. This path is accepting,
as the original one is accepting.

Now, consider an accepting path $\pi$ in $G'$. We show that there is a pumpable accepting path in $G$. Let
$\pi'$ be the projection of every position of $\pi$ to the first component. By construction, $\pi'$ is an accepting
path in $G$. Let $\pi_i \pi_{i+1} \cdots \pi_{i'}$ be an $r'$-block of $\pi$. As $\pi$ has a run on automaton $\mathcal{M}_{\mathit{pump}}$, we know that there
exists a state repetition between $i$ and $i'$ where the truth value of $r$ changes in between. Hence, the path
$\pi'$ is pumpable. □
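The construction of Lemma 4, carried out in code as an added example (this is not the paper's own implementation): it builds a colored Büchi graph of degree two, the safety automaton $\mathcal{M}_{\mathit{pump}}$, the product $G'$, and decides generalized Büchi nonemptiness of $G'$ by looking for a reachable non-trivial strongly connected component that meets both $B'_1$ and $B'_2$. The exact transition conditions of $\mathcal{M}_{\mathit{pump}}$ follow the three-phase description above and are an assumption about its precise form; the two small graphs and the names `pump_successors`, `product_graph`, `has_accepting_path` and `pumpable_nonempty` are constructed for this example.

```python
"""Lemma 4 in code (added example, not the paper's code): a colored Büchi graph
of degree two, the safety automaton M_pump, the product G' = G x M_pump and a
generalized Büchi nonemptiness check on G'.  The exact transition conditions of
M_pump are taken from the paper's three-phase description (an assumption)."""

R, RP = "r", "r'"      # the two coloring propositions
S0 = ("s0",)           # initial state of M_pump


def same_on(x, y, c):
    """x =_C y from the paper: the sets x and y agree on the propositions in c."""
    return (x & c) == (y & c)


class ColoredBuchiGraph:
    """G = ({r, r'}, V, E, v0, L, {B1, B2}); label[v] is a subset of {r, r'}."""

    def __init__(self, vertices, edges, init, label, b1, b2):
        self.V, self.E, self.v0 = set(vertices), set(edges), init
        self.L = {v: frozenset(label[v]) for v in vertices}
        self.B1, self.B2 = set(b1), set(b2)


def pump_successors(state, letter):
    """delta of M_pump on one letter (v', x'); states are ("s", v, x), ("s'", v, y)
    and ("s''", z).  Every state is accepting (safety automaton), so an empty
    successor set means the run dies and the word is rejected."""
    v2, x2 = letter
    kind = state[0]
    if kind == "s0":                          # read the first letter and store it
        return {("s", v2, x2)}
    if kind == "s":                           # phase 1: (v, x) is stored
        _, v, x = state
        if not same_on(x, x2, {RP}):          # r' flipped before a witness: reject
            return set()
        out = {("s", v2, x2)}                 # non-deterministically re-store
        if not same_on(x, x2, {R}):           # r flipped: move on to phase 2
            out.add(("s'", v, x2))
        return out
    if kind == "s'":                          # phase 2: wait for vertex v to repeat
        _, v, y = state
        if not same_on(y, x2, {RP}):
            return set()
        return {("s''", x2 & {RP})} if v2 == v else {("s'", v, y)}
    _, z = state                              # phase 3: wait for the next r'-change point
    return {("s''", z)} if same_on(z, x2, {RP}) else {("s", v2, x2)}


def product_graph(G):
    """Reachable part of G' = (V x S, E', (v0, s0), {B1', B2'}) as defined above."""
    succ = {v: [w for (u, w) in G.E if u == v] for v in G.V}
    init = (G.v0, S0)
    verts, edges, todo = {init}, set(), [init]
    while todo:
        v, s = todo.pop()
        for s2 in pump_successors(s, (v, G.L[v])):   # M_pump reads (v, L(v)) ...
            for v2 in succ[v]:                        # ... while G follows an edge
                nxt = (v2, s2)
                edges.add(((v, s), nxt))
                if nxt not in verts:
                    verts.add(nxt)
                    todo.append(nxt)
    b1 = {p for p in verts if p[0] in G.B1}
    b2 = {p for p in verts if p[0] in G.B2}
    return verts, edges, b1, b2


def _reach(adj, src):
    seen, todo = {src}, [src]
    while todo:
        for w in adj.get(todo.pop(), ()):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen


def has_accepting_path(verts, edges, b1, b2):
    """Generalized Büchi nonemptiness: some non-trivial SCC meets both B1 and B2
    (every vertex is assumed reachable from the initial one, as in G')."""
    adj, radj = {}, {}
    for u, w in edges:
        adj.setdefault(u, []).append(w)
        radj.setdefault(w, []).append(u)
    done = set()
    for v in verts:
        if v in done:
            continue
        scc = _reach(adj, v) & _reach(radj, v)
        done |= scc
        if (len(scc) > 1 or (v, v) in edges) and scc & b1 and scc & b2:
            return True
    return False


def pumpable_nonempty(G):
    """Lemma 4: G has a pumpable accepting path iff G' has an accepting path."""
    return has_accepting_path(*product_graph(G))


def example_pumpable():
    """Constructed graph: inside each r'-block the path can loop A,B,A or C,D,C."""
    label = {"A": {RP}, "B": {R, RP}, "C": set(), "D": {R}}
    edges = {("A", "B"), ("B", "A"), ("A", "C"), ("C", "D"), ("D", "C"), ("C", "A")}
    return ColoredBuchiGraph("ABCD", edges, "A", label, {"A"}, {"C"})


def example_not_pumpable():
    """Constructed graph: r' flips on every edge, so no r'-block can hold a witness."""
    label = {"A": {RP}, "C": set()}
    return ColoredBuchiGraph("AC", {("A", "C"), ("C", "A")}, "A", label, {"A"}, {"C"})
```

Calling `has_accepting_path(g.V, g.E, g.B1, g.B2)` and `pumpable_nonempty(g)` on the two constructed graphs shows the distinction the coloring adds: the second graph has an accepting path in the ordinary Büchi sense, but every $r'$-block is a single vertex, so no pumpable accepting path exists and the product $G'$ is empty. The SCC-based check is a plain polynomial-time nonemptiness test on the quadratic-size $G'$; it does not reproduce the linear-time or NLOGSPACE bounds of [12].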

4.2 A Semi-Algorithm for Assume-Guarantee Realizability 

As the assume-guarantee realizability problem for asynchronous architectures is undecidable and infinite-
state strategies are required in general, we give a semi-decision procedure for the problem, as an exten-
sion of the bounded synthesis approach [8]. Based on an LTL specification $\varphi$, an architecture $\mathcal{A}$, and
a size bound $b$, bounded synthesis separately considers the problems of finding a global transition sys-
tem that satisfies the given specification, and of dividing the transition system into local components
according to the given architecture. To this end, two sets of constraints are generated: an encoding of
the satisfaction of $\varphi$ by a global transition system $\mathcal{S}$ of size $b$, and an encoding of the architectural
constraints that divides this global system into local components. If the conjunction of both sets of con-
straints is satisfiable, then a model of the constraints represents a distributed system that satisfies $\varphi$ in
$\mathcal{A}$. Since the architectural constraints we consider are the same as in standard bounded synthesis, we
only have to modify the constraints encoding the existence of a global transition system that satisfies the
given specification.

In the following, we use the techniques developed in the last subsection to generalize the encod-
ing of the specification from a single LTL formula $\varphi$ to an assume-guarantee specification $(\varphi,\psi)$ in
PROMPT-LTL. Given an assume-guarantee specification $(\varphi,\psi)$, we first solve the problem of model
checking assume-guarantee specifications by building a universal co-Büchi tree automaton that ac-
cepts a transition system $\mathcal{S}$ if, and only if, $\mathcal{S}$ satisfies $(\varphi,\psi)$. From this automaton and a given bound $b$, we then
build a constraint system that is satisfiable if, and only if, an implementation $\mathcal{S}$ of $(\varphi,\psi)$ with size $b$ ex-
ists. Finally, the encoding of architectural constraints can be adopted without changes from the original
approach to obtain a conjunction of constraints that is satisfiable if, and only if, there is a system of size
$b$ that satisfies $(\varphi,\psi)$ in $\mathcal{A}$.


Encoding $(\varphi,\psi)$ into Büchi automata. Let $\mathcal{A} = (P, p_{\mathit{env}}, \{I_p\}_{p \in P}, \{O_p\}_{p \in P})$ be an asynchronous ar-
chitecture and let $I = \bigcup_{p \in P} I_p$ and $O = \bigcup_{p \in P} O_p$ be the set of inputs, respectively outputs, of the composi-
tion of the system processes. First, we construct the non-deterministic Büchi automaton $\mathcal{A}_{c_{r'}(\psi) \wedge c_r(\varphi)} =
(2^{I \cup O \cup \{r,r'\}}, Q, q_0, \delta, B)$, where $c_{r'}(\psi) = \cdots \wedge \neg\mathit{rel}_{r'}(\psi)$, whose language contains exactly those paths
that satisfy $c_{r'}(\psi) \wedge c_r(\varphi)$ [5].

Lemma 5 (cf. Theorem 6.2 of [12]). Let $\mathcal{S}$ be a $2^O$-labeled $2^I$-transition system. Then $\mathcal{S}$ does not
satisfy $(\varphi,\psi)$ if, and only if, the product of $\mathcal{S}$ and $\mathcal{A}_{c_{r'}(\psi) \wedge c_r(\varphi)}$ is pumpable non-empty.

To check the existence of pumpable error paths, we use the non-deterministic automaton $\mathcal{M}_{\mathit{pump}} =
(V \times 2^{\{r,r'\}}, S, s_0, \delta', S)$ from the proof of Lemma 4. Here, we let $V = X \times Q$, where $X$ is a set with $b$
elements, representing the state space of the desired solution $\mathcal{S}$, and $Q$ is the state space of the automa-
ton $\mathcal{A}_{c_{r'}(\psi) \wedge c_r(\varphi)}$ defined above. That is, we use as $V$ the state space $X \times Q$ of the colored Büchi graph
that is used to model check an implementation $\mathcal{S}$ against a specification $(\varphi,\psi)$.
The product of $\mathcal{A}_{c_{r'}(\psi) \wedge c_r(\varphi)}$ and $\mathcal{M}_{\mathit{pump}}$ is an automaton that operates on the inputs $I$, outputs
$O$, propositions $\{r,r'\}$, and the state space $X$ of the implementation, and accepts all those paths that are
pumpable and violate the assume-guarantee specification (cf. Lemma 5). It is defined as

$$(2^{I \cup O \cup \{r,r'\}} \times X,\; Q \times S,\; (q_0,s_0),\; \delta^*,\; B^*),$$

where $\delta^*\colon Q \times S \times 2^{I \cup O \cup \{r,r'\}} \times X \to 2^{Q \times S}$ is defined as

$$\delta^*((q,s),(a,x)) = \{(q',s') \mid q' \in \delta(q,a) \wedge s' \in \delta'(s, ((x,q), a \cap \{r,r'\}))\},$$

and $B^*$ is the Büchi condition $\{(q,s) \mid q \in B, s \in S\}$.

We complement this product automaton, resulting in a universal co-Büchi automaton that accepts a given sequence
$w \in (2^I)^\omega$ of inputs and the behavior of an implementation $\mathcal{S}$ on $w$ iff the execution of $\mathcal{S}$ on $w$ satis-
fies $(\varphi,\psi)$. Finally, we construct a universal co-Büchi tree automaton $(2^O \times X, 2^{I \cup \{r,r'\}}, Q, q_0, \delta, \alpha)$
by spanning a copy of the complemented automaton for every direction in $2^{I \cup \{r,r'\}}$. Then, an implementation $\mathcal{S}$ is accepted by
this tree automaton if, and only if, $\mathcal{S}$ satisfies $(\varphi,\psi)$ (for all possible input sequences). Thus, it solves the problem of
model checking assume-guarantee specifications.

Encoding the automaton into constraints. Now, we use a slightly modified bounded synthesis algo-
rithm [8] to encode this tree automaton into a set of constraints in a first-order theory with uninterpreted functions and
a total order, such that the constraints are satisfiable iff there exists an implementation $\mathcal{S}$ that satisfies
$(\varphi,\psi)$. The main difference to the existing approach is that the specification automaton has access to
the states of the implementation $\mathcal{S}$. This is not a problem, since the generated constraints explicitly refer
to the state space of $\mathcal{S}$ anyway. The original proof of correctness can be used with minor modifications
to obtain the following corollary.

Corollary 2. Given an assume-guarantee specification $(\varphi,\psi)$ and a bound $b$, there is a constraint system
(in a decidable first-order theory) that is satisfiable if, and only if, there exists an implementation $\mathcal{S}$ of
size $b$ such that $\mathcal{S}$ satisfies $(\varphi,\psi)$.

Encoding of architectural constraints. As mentioned above, the encoding of architectural constraints
can be adopted without changes, and it can in particular also contain additional bounds on the state space
of every single component. The conjunction of both sets of constraints then asks for the existence of a
distributed implementation $\mathcal{S}$, composed of local components $\mathcal{S}_p$, of size $b$ that satisfies $(\varphi,\psi)$, possibly with additional bounds
$b_p$ for every $p \in P$ on the size of the components. Thus, we obtain:

Theorem 2. Given an assume-guarantee specification $(\varphi,\psi)$, an asynchronous architecture $\mathcal{A}$, and a
family of bounds $b_p$ for every $p \in P$, there is a constraint system (in a decidable first-order theory) that
is satisfiable if, and only if, there exist implementations $\mathcal{S}_p$ of size $b_p$ for every $p \in P$ such that their composition
satisfies $(\varphi,\psi)$ in $\mathcal{A}$.

By exhaustively traversing the space of bounds $(b_p)_{p \in P}$ and by solving the resulting constraint
system as in the previous theorem, we obtain a semi-algorithm for the asynchronous assume-guarantee
realizability problem for PROMPT-LTL. Furthermore, this also solves the synthesis problem, as imple-
mentations are efficiently obtained from a satisfying assignment of the constraint system.

Corollary 3. Let $\mathcal{A}$ be an asynchronous architecture. The PROMPT-LTL distributed assume-guarantee
realizability problem for $\mathcal{A}$ is semi-decidable.
5 Conclusion

In this paper, we have initiated the investigation of distributed synthesis for parameterized specifications,
in particular for PROMPT-LTL. This logic subsumes LTL, but additionally allows expressing bounded
satisfaction of system properties, instead of only eventual satisfaction. To the best of our knowledge, this
is the first treatment of PROMPT-LTL specifications in distributed synthesis.

We have shown that for the case of synchronous distributed systems, we can reduce the PROMPT-LTL
synthesis problem to an LTL synthesis problem. Thus, the complexity of PROMPT-LTL synthesis corre-
sponds to the complexity of LTL synthesis, and the PROMPT-LTL realizability problem is decidable if,
and only if, the LTL realizability problem is decidable. For the case of asynchronous distributed systems
with multiple components, the PROMPT-LTL realizability problem is undecidable, again correspond-
ing to the result for LTL. For this case, we give a semi-decision procedure based on a novel method
for checking emptiness of two-colored Büchi graphs. All these results also hold for PLTL and the even
stronger logics from IHEll, as they have the exponential compilation property and as the alternating
coloring technique is applicable to these logics as well.

Among the problems that remain open is realizability of PROMPT-LTL specifications in asyn-
chronous distributed systems with a single component. This problem can be reduced to the (single-
process) assume-guarantee realizability problem for PROMPT-LTL, which was left open in ifT^.